1 METHOD OF AUTHENTICATING USER ACCESS TO 

2 NETWORK STATIONS 

3 BACKGROUND OF THE INVENTION 

4 1 . Field of the Invention 

5 The present invention relates to a method of authenticating user access to 

6 network stations, especially to an authentication method making use of a net entry 

7 apparatus possessing a cryptography security mechanism to establish two-way 

8 communication with an authentication server and an application server through a 

9 host computer, whereby a machine-independent token is generated and sent to the 

10 application server for verification of a user ID to control access to specific network 

1 1 station for on-line transactions. This authentication system is able to enhance 

12 Internet security by obviating the input of user IDs and passwords by users, thus 

13 freeing users from having to memorize many different passwords and minimizing 

14 the risk of account numbers and passwords being stolen. 

15 2. Description of Related Arts 

1 6 Internet services are expanding rapidly because the Internet technology 

1 7 has created an information super highway across national and geographical 

18 boundaries. Network users are able to conduct a variety of on-line transactions 

19 through network computers, notebook computers, and the latest cellular phones, 

20 realizing the dream of virtual offices and real-time transactions through the 

2 1 Internet. 

22 Many kinds of network services have been developed over the past years, 

23 such as electronic commerce, electronic shopping, network games, and network 

24 financial services. However, these new forms of network activities also give rise to 



1 network crimes and security problems. As an example, network games have 

2 gained wide popularity in the Asian region, but the crime rate of stealing account 

3 numbers and passwords is also rising fast. The perpetrators are somehow able to 

4 intercept the personal information of game players through the network 

5 connections, no matter the players are playing at home or in a network cafe. Thus 

6 far, there has been no effective means to prevent the stealing of account numbers 

7 and passwords. 

8 In network financial services, many people have used on-line services 

9 offered by financial institutions to handle their personal financial affairs for work 

10 efficiency and to gain access to the resources available on the Internet. These on- 

1 1 line services range from network banking, transfers of funds, payment of utility 

12 bills, to stock transactions. Nevertheless, for all these services, users still need to 

13 apply for the right to access the network services by filling out many personal data 

14 forms to verify their user IDs. Furthermore, users have to enter their user IDs 

15 and passwords each time when they want to gain access to the network stations. In 

16 some ways, users may have to take the risk of exposing their personal information 

17 to other persons in the process of inputting user IDs and passwords. 

1 8 At present, most software programs of network banking are installed with 

19 SSL 128-bit high compression security encryption and are certified by 

20 international institutions to enhance Internet security. Yet, in many instances, the 

21 user's operation to gain access to the network services is not very user friendly. 

22 For ease in memorization, many users simply use one set of password and user ID 

23 for all network accounts. If a perpetrator is able to steal that set of user ID and 

24 password, then the thief can break into all network accounts with the same user ID 



2 



1 without farther checks. On the other hand, if the user sets up different user ID and 

2 passwords for different accounts, then this will require memorization of many 

3 numbers, which might not be easy as the opportunity of using user IDs and 

4 passwords to access network services gets higher every day. Therefore, the public 

5 demands a more user-friendly operation to access network stations. 

6 SUMMARY OF THE INVENTION 



7 The main object of the present invention is to provide a method of 

8 authenticating user access to network stations for on-line transactions, obviating 

9 the input of user IDs and passwords by users, yet ensuring Internet security. 

10 To this end, the instrumentalities of the present invention include a two- 



1 1 stage authentication process. The first- stage authentication includes the 

12 establishing of two-way communication between a net entry apparatus possessing 

13 the cryptography security mechanism and an authentication server through a host 

14 computer, whereby the authentication server generates a network key after 

15 verifying the identity of the net entry apparatus, comprising the steps of 



16 activating the user ID authentication mechanism; 

17 reading off the basic data or user ID of the net entry apparatus by a host 

1 8 computer and sending them to the authentication seiver; 

19 sending a random number test key, by the authentication server, back to 

20 the net entry apparatus within a preset time, and keeping a copy of the random 

21 number test key in the authentication server; 

22 encrypting the received test key with a private key embedded in the net 

23 entiy apparatus and then sending the encrypted data back to the authentication 
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1 server; 

2 retrieving the other copy of the random number test key for encryption 

3 with a symmetrical copy of the private key by the authentication server and 

4 comparing it with the encrypted data received from the host computer; if the two 

5 test keys correspond with each other, the authentication server then generates a 

6 network key. 



7 The second-stage authentication starts after the generation of the network 

8 key, comprising the steps of: 

9 encrypting a token with the network key, by the authentication server, and 

10 then sending the encrypted token to the host computer; 

1 1 sending the encrypted token, by the host computer, to an application 

12 server for intended on-line transactions; 

13 receiving the encrypted token, by the application server, and passing it to 

14 the authentication server for verification; 

15 decrypting the token received, by the authentication server, and then 

16 comparing it with the original token; and 

17 informing the application server that the user ID is valid, if the tokens 

18 correspond with each other; otherwise the user ID is invalid if the tokens do not 

19 match. 

20 The second object of the present invention is to provide a net entry 

21 apparatus having the capability of creating cryptography security, comprising: 

22 a microprocessor for internal computation; 

23 a connection interface for linking up with the host computer; 
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1 an encryption unit for generating encrypted data; and 

2 a system memory for temporarily saving of a user ID from the net entry 

3 apparatus and the random number test key. 

4 The above-mentioned microprocessor, in accordance with the present 

5 invention, is equipped with RISC capability. 

6 The above-mentioned connection interface, in accordance with the present 

7 invention, has a USB 1.1 interface. 

8 The above mentioned encryption unit, in accordance with the present 

9 invention, employs a high compression security standard of AES 128-256 bits or a 

10 regular security standard complying with RSA, DES, 3DES, MD5, MD2, and 

11 SHA-1. 

12 The above mentioned system memory, in accordance with the invention, 

13 can be formed by read-only memory, dynamic random access memory, and 

14 erasable programmable read-only memory. 

15 The features and structure of the present invention will be more clearly 

16 understood when taken in conjunction with the accompanying figures. 

17 BRIEF DESCRIP TION OF THE D RAWING S 

18 Fig. 1 system architecture of a possible implementation of the present 

19 invention; 

20 Figs. 2-4 show a flow chart of the authentication process of the present 

21 invention; and 

22 Fig. 5 is a block diagram of a net entry apparatus for the present invention. 
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1 DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

2 The architecture of the authentication system, as shown in Fig. 1 includes 

3 a host computer (10), an authentication server (20), an application server (30) and 

4 a net entry apparatus (40). The authentication process is activated when the 

5 application server (30) needs to verify the user ID, whereby the net entry apparatus 

6 (40) possessing the cryptography security mechanism is connected to the 

7 authentication server (20) through the host computer (10). 

8 The host computer (10) is used to establish two-way communication with 

9 the authentication server (20) through the network connection to obtain a network 

10 key after successful verification of the user ID. In the process, a token is generated 

11 by a dynamic process, which is then passed to the application server (30). The 

12 application server (30) is a network station on the Internet to which the user 

13 intends to gain access. The net entry apparatus (40) is also linked with the 

14 application server (30) through the host computer (10) for verifying the token sent 

1 5 by the host computer (10). 



16 The authentication is a two-stage process. The first stage authentication 

17 process, as shown by Figs. 2-4, includes the steps of: 

18 activating the authentication mechanism, by the authentication server (20), 

19 when a user attempts to gain access to a network station or application server (30) 

20 with a net entry apparatus (40) (201); 

21 reading off the basic data or user ID of the net entry apparatus (40), by the 

22 host computer (10), and sending the user ID over the Internet to the 

23 authentication server (20) (202); 

24 sending out a random number test key to the net entry apparatus (40), by 
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1 the authentication server (20), on receiving the user ID of the net entry apparatus 

2 (40), within a preset time, and keeping a copy in the authentication server (20) 

3 (203), wherein the contents of the random number test key are created by a 

4 random process; 

5 encrypting the received random number test key, by the net entry 

6 apparatus (40), with an embedded private key, after the host computer (10) has 

7 received the random number test key from the authentication server (20), and 

8 sending the encrypted random number test key back to the authentication server 

9 (20) (204); wherein the above net entry apparatus (40) can employ a high 

10 compression security standard of AES 128-256 bits or a regular security standard 

1 1 complying with RSA, DES, 3DES, MD5, MD2, and SHA-1 ; 

1 2 retrieving an own copy of a random number test key for encryption with a 

13 symmetrical private key, by the authentication server (20), and then comparing it 

14 with the encrypted random number test key sent from the host computer (10); and 

1 5 then generating a network key dynamically, by the authentication server (20), if 

16 the two test keys correspond with each other (205), wherein each network key is 

17 unique and will be automatically deleted after a certain time. 



18 The above-mentioned process represents the first stage authentication of 

19 user identification conducted between the host computer (10) and the 

20 authentication server (20). The second stage authentication starts after the 

21 generation of the network key, as shown in Figs. 2-4, including the steps of: 

22 encrypting a token with the network key, by the authentication server (20), 

23 and passing the encrypted token to the host computer (10) (206); 

24 receiving the encrypted token, by the host computer (10), and passing it to 
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1 the application server (30) intended to gain access for on-line transactions (207); 

2 passing the received token to the authentication server (20), by the 

3 application server (30), for verification (208); 

4 decrypting the returned token, by the authentication server (20) (209); 

5 comparing the decrypted token with the original token (210); 

6 sending a message to the application server (30) notifying that the user ID 

7 is valid, if the two tokens correspond with each other (211); otherwise, the user ID 

8 is invalid, if the two tokens do not match (212). 

9 The important feature of the present invention is that the user requesting 



10 access to an application server (30) for on-line transactions does not need to input 

11 a user ID and password in the authentication process; instead, only a net entry 

12 apparatus (40) has to be used to link up with a host computer (10), through which 

13 a two-way communication is established with the authentication server (20) and 

14 the application server (30). The authentication mechanism is activated by the 

15 application server (30) that needs to verify the user ID of the net entry apparatus 

16 (40), which is connected to the authentication server (20) through the host 

17 computer (10). In the authentication process, a set of test key, network key and 

1 8 token is generated by the authentication server (20) and passed back to the host 

19 computer (10). One copy of the token is issued to the application server (30) 

20 through the host computer (10), and the other copy is kept by the authentication 

21 server (20). When the application server (30) receives the token, the application 

22 server (32) returns the token to the authentication server (20) for verification. Then, 

23 the authentication server (20) retrieves the original token to compare with the 

24 returned token. Then, the application server (30) is notified of the validity of the 
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1 user ID. 

2 Since the user does not need to input the user ID and password when 

3 trying to access the network station or application server, the authentication system 

4 can prevent stealing or intercepting of user IDs and passwords by unauthorized 

5 persons. 

6 When the user attempts to gain access to a different network station, the 



7 above mentioned authentication process will be performed all over again, and a 

8 new set of random number test key, network key and token will be generated in 

9 another authentication process, but the user does not need to use different user IDs 

10 and passwords to operate network accounts on different systems. The 

1 1 authentication system has the advantages of freeing users from having to 

12 memorize many different numbers and preventing the stealing of user IDs and 

13 passwords for criminal purposes. 



14 The above-mentioned net entry apparatus (40) can be implemented as 

15 shown in Fig. 5, comprising: 

1 6 a microprocessor (4 1 ) for encryption of data, being equipped with RISC 

1 7 capability, but it can also be implemented with a low-end processor to reduce 

1 8 costs; 

1 9 a connection interface (42) having a USB 1 . 1 interface for linking with a 

20 host computer ( 1 0); 

21 an encryption unit (43) for creating encrypted data, wherein the encryption 

22 unit can be installed with a high compression standard of AES 128-256 bits or a 

23 regular security standard complying with RSA, DES, 3DES, MD5, MD2, and 

24 SHA-1; 
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1 a system memory (44) for temporarily saving of a user ID of the net entry 

2 apparatus (40) and the random number test key, wherein the system memory can 

3 be formed by read-only memory, dynamic random access memory, and erasable 

4 programmable read-only memory. 

5 Since the net entry apparatus (40) is equipped with a USB interface, it 

6 does not need a card reader as in those systems operated by a contact/non-contact 

7 memory cards, IC cards, smart cards, etc. Since most personal computers and 

8 notebook computers can support a USB interface, and the net entry apparatus (40) 

9 is compatible with an HID interface, the net entry apparatus (40) has plug-and- 

10 play characteristics, that means the authentication system can be up and running 

1 1 without needing software drivers, making it simpler to operate than conventional 

12 contact/non-contact memory cards, IC cards, or smart cards. 

13 The present invention is also characterized in that each net entry apparatus 

14 has a unique digital signature, representing the user ID that cannot be duplicated. 

15 Each net entry apparatus is embedded with a private key that contains a long bit 

16 string that is burnt into the processor using a chip programmer. After writing in the 

17 necessary data, a large current is applied on the I/O pins of the chip to break off all 

18 connection points to make the chip isolated from outside circuits. In the key 

19 burning process, only the authentication server possesses a copy of the private key 

20 corresponding to the private key in the net entry apparatus. The only way to obtain 

21 the user ID stored in the net entry apparatus is to use a computer with a USB 

22 connection interface to read off the data from the net entry apparatus that has to be 

23 decrypted with the private key. 

24 For extra protection and for users accustomed to the conventional 
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1 authentication systems, an initial password can be used to activate the net entry 

2 apparatus, which is not to be transmitted over the network. An initial password is 

3 only required when the net entry apparatus links up with a host computer, and only 

4 when the initial password check is passed is the net entry apparatus then able to 

5 make a request to access an application server. 

6 From the above description, the design of the net entry apparatus, in 

7 accordance with the present invention, is also suitable for many different 

8 applications, such as checking of player identification in network games, secured 

9 electronic documents for government offices, secured electronic banking services 

10 and electronic commerce, management of a patient's medical history, and 

1 1 authentication of user access to national and military entities. 

12 The foregoing description of the preferred embodiments of the present 

1 3 invention is intended to be illustrative only and, under no circumstances, should 

14 the scope of the present invention be so restricted. 
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